SPEAR PHISHING UNDERSTANDING THE THREAT

Transcription

1 SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business network. Reliance on and the internet brings vulnerabilities which must be recognised and addressed appropriately. The IT security community has assessed that Spear Phishing is a remarkably effective cyber-attack technique and its use to gain access to business systems is unlikely to decline in the near future. This paper describes how Spear Phishing attacks work, the likelihood of being targeted and the steps an organisation can take to manage the business risks. Key points Spear Phishing is a targeted form of deception. Most targeted attacks against an organisation begin with a Spear Phishing . Spear Phishing has a high success rate and its use as a means of attack looks set to continue. Successful attacks can result in exploitation or compromise of individual devices and organisational networks. This can have significant implications for an organisation. The risk from Spear Phishing can be reduced through good educational awareness and effective technical controls. Disclaimer Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation or favour by CPNI. The views and opinions of authors expressed within this document shall not be used for advertising or product endorsement purposes. To the fullest extent permitted by law, CPNI accepts no liability for any loss or damage (whether direct, indirect or consequential, and including but not limited to, loss of profits or anticipated profits, loss of data, business or goodwill) incurred by any person and howsoever caused arising from or connected with any error or omission in this document or from any person acting, omitting to act or refraining from acting upon, or otherwise using the information contained in this document or its references. You should make your own judgment as regards use of this document and seek independent professional advice on your particular circumstances. Page 1 of 7

2 Introduction Phishing is a form of deception used by a range of adversaries in an attempt to obtain sensitive information or cause disruption to an organisation s business operations. Spear Phishing is a more targeted version of phishing where an adversary conducts online reconnaissance against an individual or organisation in order to construct an which appears to be of significant interest to those targeted. The is designed to persuade the target individual to open a file attachment or click on a website link. In doing so, malicious software (or malware) is executed, designed to exploit and compromise the individual s IT device. Spear Phishing attacks are persistent and often have a high success rate as they are able to bypass traditional security defences and exploit vulnerable software. Reconnaissance An adversary will use information sources (free and subscription-based) to build background knowledge of a target individual or organisation. This information found online is called Open Source Intelligence (OSINT) and the process of collecting it is known as Reconnaissance. Organisations share information across the internet via their public website or social media sites. This information may be published by themselves or by their business partners. An adversary will aim to acquire as much information about a target as possible, as the more information they have available, the greater the chance the Spear Phishing will be seen as a legitimate communication. Research conducted as part of CPNI OSINT studies included investigation into online information relating to a number of participating companies. This highlighted the information an adversary would look to obtain when conducting a Spear Phishing attack; this information includes staff contact details, organisation charts, job descriptions and technical information such as IP addresses, project names and software versions in use within an organisation. To construct a successful Spear Phishing attack, an adversary requires a target address. Using search engines, an adversary will look for online profiles which contain contact details of a target individual. If an address is not within the contact information, an adversary may attempt to guess the address, by trying a common format such as Adversaries will often send Spear Phishing s to a range of plausible addresses to determine a valid address. CPNI has published guidance, entitled Online Reconnaissance How your internet profile can be used against you which describes this scenario in further detail. 1 1 See CPNI guidance on Online Reconnaissance Page 2 of 7

3 Construction and delivery of Spear Phishing s After conducting online reconnaissance an adversary now has enough information to create a Spear Phishing . The will include all information discovered through the reconnaissance phase and contain an attachment or website link which is of interest to the target. The adversary will then attempt to alter the to make it appear as if the message was sent from a trusted contact of the target individual. An which appears to be from a trusted contact increases the likelihood of a successful compromise. Attachments contained within Spear Phishing s will appear as a common file type such as.rtf or.pdf. The name will be of interest to the target, e.g. pay award.pdf When the attachment is opened embedded malicious software is executed designed to compromise the target s IT device. Figure 1 - Top spear-phishing attachment file types (Trend Micro 2012) Links within Spear Phishing s will direct a target individual to a website which, when accessed, will execute malicious software. A common method for an adversary to disguise a compromised website is to compress the address, so it is displayed in a shortened format such as Websites which are compromised appear authentic by having the same design and structure as legitimate websites. It is possible that a legitimate website could also be compromised further increasing the chance of a successful attack. When malicious software is successfully accessed via an attachment or website link, it will seek to exploit vulnerabilities in a target operating system or web browser. Figure 2 describes the stages in a Spear Phishing attack and how the adversary will look to exploit an organisation s network. Page 3 of 7

4 Stages involved in a Spear Phishing attack CPNI uses the Cyber Kill chain developed by Lockheed Martin 2 as a representation of the stages involved in an effective cyber-attack. For a Spear Phishing attack to be successful, the following stages are present: Reconnaissance: In the reconnaissance phase an adversary browses websites, downloads PDFs, and learns about the internal structure of a target organisation. Weaponization: In this phase the adversary places malicious code into a delivery vehicle such as an attachment or website. Delivery: The delivery phase involves the transfer of malicious content to the target in some form. In the case of Spear Phishing this is via . Figure 2 - Spear Phishing stages 2 Defense.pdf Page 4 of 7

5 Business impact Successful Spear Phishing attacks can have significant implications for organisations. The more serious implications of becoming the target of a cyber-attack are listed below: Theft of sensitive information: An adversary may steal commercially useful information such as trade secrets, merger and acquisition plans, engineering designs, software codes or details of research programmes. This could result in the loss of competitive advantage and have significant financial consequences. Sabotage: Once on a network, an adversary may seek to delete or alter data with the aim of disrupting business operations. Depending on the access level gained, they could make changes to company data, log files, configuration settings, and user passwords or alter code for applications running on the network. Secondary use of compromised machines: An adversary can use a compromised machine to conduct attacks against other individuals or networks. This may involve sending Spear Phishing s to contacts from a compromised user account. This can cause reputational damage to the initial victim organisation, as its customers and suppliers will initially attribute these communications to the sending organisation. Incident response and recovery costs: Investigating and recovering from a compromise can be expensive and time-consuming. The cost will depend on how long the network has been compromised and the steps needed to prevent the risk of an adversary simply being able to reestablish a presence on the network. Page 5 of 7

6 How to defend against Spear Phishing attacks In order to successfully reduce the risks posed by Spear Phishing attacks, organisations should seek to achieve a good balance of educational awareness and effective technical controls. CPNI endorses the Critical Security Controls 3 as an effective way to protect against Spear Phishing and other cyberattacks. This section presents the most relevant Critical Security Controls for defending against Spear Phishing - Security awareness training: An important measure in defending against Spear Phishing attacks is ensuring a high level of security awareness amongst staff. Employees should be educated about the changing nature of Spear Phishing attacks. An adversary will look to exploit an employee s lack of security awareness. There are some questions an employee can ask when receiving an with a suspicious link or attachment. Who is the sender? Can the employee verify it has definitely come from them and is it someone from whom they would expect to receive s on this subject? Is the style of writing consistent with the sender? Does anything appear unusual about the tone, spelling or urgency of the ? Is the request out of the ordinary (e.g. to open a file the user wasn t expecting)? Have other colleagues received a similar ? These questions can begin to help employees identify Spear Phishing s. When training staff, it is important to make them aware of company policies regarding communications and security. Organisations can look to design their own training package to educate their staff on the threat posed from Spear Phishing using commercially available tools. In the training package, if a user does click on a link or open an attachment in a test , they will be taken through to a training area that helps them gain a better understanding, making them less susceptible to attacks in the future. A number of anti-phishing tools are also available to alert users to phishing content contained within websites and s. These tools offer an advanced level of protection above traditional IT security defences. Boundary defence: Malicious code generated from Phishing s will exploit systems which can reach across the internet. To control the flow of traffic through network borders, organisations should use multi-layered boundary defences such as firewalls, proxies, demilitarised (DMZ) perimeter networks, and networkbased IPS and IDS. It is also critical to filter both inbound and outbound traffic to look for any anomalies that may suggest malicious activity. 3 Critical Security Controls Page 6 of 7

7 Controlled use of administrative privileges: Organisations should aim to minimise administrative privileges and only use administrative accounts where required. If a privileged user opens a malicious attachment or accesses a website with embedded malicious content, malware will be deployed to their IT system with the adversary assuming administrative privileges. With elevated rights, an adversary can install malware and establish a foothold within the network faster than with standard user access rights. Continuous vulnerability assessment and remediation: Most Spear Phishing s aim to exploit known vulnerabilities in software. It is therefore vital to ensure that all systems and software are up to date with the latest patches 4. Patches should be applied to software that is most likely to be targeted by an adversary. It is important that all types of infrastructure are patched, including laptops, mobile devices, desktops, servers, switches and routers. This way, even if a compromised attachment or link is opened, the malware will not be executed. For further information on any of the topics discussed in this paper visit 4 A patch is a small piece of software that is used to correct a problem with a software program or an operating system. Page 7 of 7

idata Improving Defences Against Targeted Attack Summary JULY 2014 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does

ONLINE RECONNAISSANCE HOW YOUR INTERNET PROFILE CAN BE USED AGAINST YOU May 2013 Most people and organisations put information about themselves on the web. Companies advertise their work and achievements

CPNI VIEWPOINT CYBER SECURITY ASSESSMENTS OF INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Cyber Security Assessments of Industrial Control Systems Good Practice

SIEM is only as good as the data it consumes Key Themes The traditional Kill Chain model needs to be updated due to the new cyber landscape A new Kill Chain for detection of The Insider Threat needs to

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK 2002 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre

CPNI VIEWPOINT CONFIGURING AND MANAGING REMOTE ACCESS FOR INDUSTRIAL CONTROL SYSTEMS MARCH 2011 Acknowledgements This Viewpoint is based upon the Recommended Practice: Configuring and Managing Remote Access

Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology

FIREWALLS VIEWPOINT 02/2006 31 MARCH 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to the Centre for the Protection

THE IMPORTANCE OF CODE SIGNING TECHNICAL NOTE 02/2005 13 DECEMBER 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation

Cyber Essentials Scheme Requirements for basic technical protection from cyber attacks June 2014 December 2013 Contents Contents... 2 Introduction... 3 Who should use this document?... 3 What can these

MITIGATING SECURITY RISK IN THE NATIONAL INFRASTRUCTURE SUPPLY CHAIN A GOOD PRACTICE GUIDE FOR EMPLOYERS April 2015 Disclaimer: Reference to any specific commercial product, process or service by trade

Initiating a dialogue about the security of digital built assets: a guide for managers (with regard to PAS 1192-5, A Specification for security-minded building information modelling, digital built environments

PROTECTING SYSTEMS AND DATA PASSWORD ADVICE DECEMBER 2012 Disclaimer: Reference to any specific commercial product, process or service by trade name, trademark, manufacturer, or otherwise, does not constitute

TECHNICAL NOTE 10/03 DEPLOYMENT GUIDANCE FOR INTRUSION DETECTION SYSTEMS 19 NOVEMBER 2003 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to

www.contextis.com About About Information Security has a client base including some of the world s most high profile blue chip companies and government organisations. Our strong track record is based above

How to Protect Your Business from Malware, Phishing, and Cybercrime The SMB Security Series Streamlining Web and Email Security sponsored by Introduction to Realtime Publishers by Don Jones, Series Editor

The responsibility of safeguarding your personal information starts with you. Your information is critical and it must be protected from unauthorised disclosure, modification or destruction. Here we are

CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to

Recommended Practice Case Study: Cross-Site Scripting February 2007 iii ACKNOWLEDGEMENT This document was developed for the U.S. Department of Homeland Security to provide guidance for control system cyber

White Paper THE FOUR ATTACK VECTORS TO PREVENT OR DETECT RETAILER BREACHES By James Christiansen, VP, Information Risk Management Executive Summary Security breaches in the retail sector are becoming more

WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in

NATIONAL CYBER SECURITY AWARENESS MONTH Tip 1: Security is everyone s responsibility. Develop an awareness framework that challenges, educates and empowers your customers and employees to be part of the

Sound Business Practices for Businesses to Mitigate Corporate Account Takeover This white paper provides sound business practices for companies to implement to safeguard against Corporate Account Takeover.

MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

WHITE PAPER SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM Why Automated Analysis Tools are not Created Equal SECURITY REIMAGINED CONTENTS Executive Summary...3 Introduction: The Rise

IT Services Applying the CPNI Top 20 Critical Security Controls in a University Environment RUGIT IT Security Group October 2013 1. Introduction Universities UK (UUK) has published a policy briefing on

SMALL BUSINESSES WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY ONE CLICK CAN CHANGE EVERYTHING SMALL BUSINESSES My reputation was ruined by malicious emails ONE CLICK CAN CHANGE EVERYTHING Cybercrime comes

White Paper Spear Phishing Attacks Why They are Successful and How to Stop Them Combating the Attack of Choice for Cybercriminals White Paper Contents Executive Summary 3 Introduction: The Rise of Spear

Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

INSTANT MESSAGING SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part

SECURITY IN CONTEXT LATERAL MOVEMENT: How Do Threat Actors Move Deeper Into Your Network? LEGAL DISCLAIMER The information provided herein is for general information and educational purposes only. It is

1 Cyber-attacks frequently take advantage of software weaknesses unintentionally created during development. This presentation discusses some ways that improved acquisition practices can reduce the likelihood

Protecting your business from fraud KEY TAKEAWAYS > Understand the most common types of fraud and how to identify them. > What to do if you uncover fraudulent activity or suspect you are a victim of fraud.

CPNI viewpoint 01/2008 DOMAIN NAME SYSTEM (DNS) may 2008 Abstract This Viewpoint considers some of the security considerations of the Domain Name System and makes some observations regarding how organisations

What s Wrong with Information Security Today? You are looking in the wrong places for the wrong things. AGENDA Current State of Information Security Data Breach Statics Data Breach Case Studies Why current

Cyber Security: Beginners Guide to Firewalls A Non-Technical Guide Essential for Business Managers Office Managers Operations Managers This appendix is a supplement to the Cyber Security: Getting Started

Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning

CYBER SECURITY OPERATIONS CENTRE APRIL 2013 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL REFERENCES

1- A (firewall) is a computer program that permits a user on the internal network to access the internet but severely restricts transmissions from the outside 2- A (system failure) is the prolonged malfunction

SPEAR PHISHING AN ENTRY POINT FOR APTS threattracksecurity.com 2015 ThreatTrack, Inc. All rights reserved worldwide. INTRODUCTION A number of industry and vendor studies support the fact that spear phishing

- 2 - Malware & Botnets The Internet is a powerful and useful tool, but in the same way that you shouldn t drive without buckling your seat belt or ride a bike without a helmet, you shouldn t venture online

Practical Threat Intelligence with Bromium LAVA Practical Threat Intelligence Executive Summary Threat intelligence today is costly and time consuming and does not always result in a reduction of successful

defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been

AUTOMATED PENETRATION TESTING PRODUCTS Justification and Return on Investment (ROI) EXECUTIVE SUMMARY This paper will help you justify the need for automated penetration testing software and demonstrate

DIVISION OF INFORMATION SECURITY (DIS) Information Security Policy Threat and Vulnerability Management V1.0 April 21, 2014 Revision History Update this table every time a new edition of the document is

Running the SANS Top 5 Essential Log Reports with Activeworx Security Center Creating valuable information from millions of system events can be an extremely difficult and time consuming task. Particularly

A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with

TrendLabs Data exfiltration is the final stage of a targeted attack campaign where threat actors steal valuable corporate information while remaining undetected. 1 43% of most serious threats to the company